A known category of anonymiser (a device for hiding addresses of devices in a network behind the anonymiser) for communications applications, is a Network Address Translator (NAT), typically used for hiding addresses. It can be located at an interface between a private network having devices with unregistered IP addresses, and a public or global IP network. Different networks typically each use a particular addressing scheme and number of addresses, one for each node within that network. Thus each network is an address domain, which may or may not overlap with other domains. An address domain may be either public or private with respect to other address domains. For example, an enterprise network can be private with respect to a public network, so that addresses of nodes within enterprise network are not revealed to nodes of the public network. However, addresses of nodes in the public network are available to nodes within the enterprise network.
Without the address hiding provided by NAT, devices on the internal network could be sent packets from unwanted sources. This could leave such devices exposed to spoofing, interception, hacking or denial of service attacks, and so on. Also, the NAT enables a limited number of registered IP addresses to be used, which can save the costs of registering many IP addresses. NATs are also useful to avoid address renumbering in a private network to respond to circumstances such as changing Service Providers, company backbones being reorganized, or Service Providers merging or splitting. NATs are described in Internet Engineering Task Force (IETF) request for comments (RFC) 3022 and 2663.
NATs are typically implemented in the form of software running on conventional hardware, e.g. general purpose processors or DSPs (digital signal processors) or application specific integrated circuits, or firmware. The software is typically written in a conventional language such as C or C++. They are arranged to first read the headers of the packets sent by the devices. The source IP address is altered to a substitute value. The old and new substitute values are stored in a look up table. When a reply packet is received, the NAT value reads the destination IP address field. If it corresponds to a stored substitute value, the NAT uses the look up table to find the original correct IP address. The NAT changes the destination IP address field to the correct address and forwards the packet into the private network to be routed to the destination device. In other words, the NATs use packets flowing from the inside (private network) to the outside (public network), to create a NAT bind and to maintain the NAT bind. NAT binds are specific to a single source address (and sometimes port). This means that in order to create a NAT bind the actual device which will use the bind has to send data packets. These binds are maintained even if the source device is not sending data packets continuously, as in the case of a voice over Internet Protocol (VoIP) gateway with silence suppression and no comfort noise packets, or with one way speech path, or which is on hold.
NATs can use Basic Network Address Translation or Basic NAT, which is a method by which IP addresses are mapped from one group to another, transparent to end users. There is also Network Address Port Translation, or NAPT, which is a method by which many network addresses and their Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports are translated into a single network address and its TCP/UDP ports. The term “traditional NAT” refers to both these. Unless mentioned otherwise, the term NAT, as used in this specification, will mean traditional NAT, and to the devices performing these functions, Network Address Translators, and Network Address and Port Translators.
One important service which is provided over such networks is VoIP. This is typically achieved using a control node which is part of a service provider's own network, connected to a public network via an address translation function such as a NAT. This involves call set up processes including sending signalling packets using several different protocols to set up a call path in each direction between the source and destination entities. Once the call has been set up, actual media packets can be sent between the two entities to carry out the call. Media gateways are used to allow user terminals or endpoints to access a packet-based network. For example, the media gateways each comprise a codec which is used to convert speech signals into digitised, packetised data suitable for transmission over the enterprise packet data network.